I was searching for methods or tools to remain completely anonymous on the internet. TOR came up but it is seems that it is far from perfect. Are there any 100% foolproof ways ? Or approximately 100% foolproof ways ? I suspect that 100% may be possible. How else do cyber some criminals behind some big crimes never get caught ?

VPN providers like BlackVPN or Hide My Ass "do" that for you. You establish a secure connection to their servers and everything you do is supposed to be anonymized. Some of them keep logs (here is the risk) and others don't. I disagree with @JohnU that IPs are not indicators of anything, you can get a lot of info from them.
–
BertrandJan 17 '13 at 18:48

13 Answers
13

There is a geeky possibility to use a prepaid card (SIM) and connect
it with a mobile HSDPA dongle i.e Huawei_E220 and also you can check the section Privacy rights and prepaid mobile phones for Prepaid Mobile Phone. If you buy everything without registering you can have access to the world wide web anonymously. Because this is a known problem against cyber crime and other criminal activities it is not allowed in some countries to use such an unregistered prepaid card.

Another possibility is to use an open WI-Fi. For example in an
internet café. The operating system must be available without any
registration like Linux. The MAC-Adress of the Network-WiFi card in
the computer which is visible in the WI-Fi network must be changed
(this is easy possible in Linux)

If you want to do some research about the TOR network you can try the Linux distribution Tails where everything is setup right (for example the flash player would use another channel which goes not through the TOR network.) Which means if you are using the flash player while browsing with TOR, the data packages for the flash-player will communicate with your real ip-adress and goes not through the TOR-nodes. Tails Webiste

+1 for anonymous prepaid SIM. If you pay this in cash you're untraceable. Oh, and use gloves when handling the phone, or if they find it they can trace you by your fingerprints. Of course the phone should also be bought cash.
–
gerritJan 18 '13 at 11:02

7

cash and gloves. sounds like some really bad Mission: Impossible parody on a budget.
–
jrgJan 18 '13 at 16:05

@jan koester - how do i change the MAC address on a linux distro ? Is it a fool proof method ?
–
FirstName LastNameJan 19 '13 at 8:01

@JanKoester You would also want to make sure you do not login to any site using any identifiable information, like your online banking for example. Also, because of triangulation techniques, you don't want to stay on the same spot for too long when using your Mi-Fi or the open internet; the ideal places are the crowded ones. Still, after triangulating a possible location, it is also possible to analyse local CCTV footage.
–
LexMay 30 '13 at 8:51

With the current state of the interent and how it works (in my opinion) I do not think that it is possible at the moment. TOR (among other onion-routing services), while a good idea in theory, there are issues with exit nodes being compromised etc. Essentially, anything that accesses the 'normal' internet at any point could theoretically be traced back to you. Systems such as I2P while, inherently more anonymous, only allow access to material that is stored on the I2P network itself, so you would be a bit stuffed if you wanted to access random website.

With regards to cyber-criminals, a couple of things can happen with regards to them not being caught:

They could be living in another country that has no extradition treaty with the country that the crime is being committed in (or countries that have little/nothing in the way of cybercrime law).

If they have a reasonable level of computer knowledge, chances are they will be encrypting their disks, so even if they can be extradited/investigated/whatever, the chances of actually recovering any evidence from their machine(s) are next to nil.

I understand that factors such as extradition treaties and enormity of the crime affect the chances of getting caught. But, I would like to focus more on the technical side of the question. Any more insights on that welcome.
–
FirstName LastNameJan 17 '13 at 7:40

It is worth noting that TOR exit node issues are irrelevant if anonymity is the only concern and the information you are transmitting does not disclose your identity. The bigger problem would be if you randomly choose a controlled path of onion routers. But yes, the basic conclusion that 100% fool proof anonymity is spot on. Nothing in security is ever or will ever be 100%.
–
AJ HendersonJan 17 '13 at 14:36

All it takes is that one twitter/facebook or whatever widget to connect over that connection, and then you're screwed.
–
Adam McKissockJan 18 '13 at 18:40

@AdamMcKissock - please explain what you said. I am unable to understand it because I am not a security professional..rather I am an enthusiast.
–
FirstName LastNameJan 19 '13 at 7:52

1

Okay. When using TOR, it is technically 100% anonymous, meaning that no-one could find out who you are. However, if the exit node is compromised and you login to a service that would give away who you are (having a facebook widget on your machine for example), then who ever has compromised that exit node could potentially read your traffic, thus finding out who you are.
–
Adam McKissockJan 19 '13 at 16:18

I think Tor is probably the closest thing you can get to anonymity, but there is indeed a small risk to get exposed. Also don't forget that some criminals don't get caught because they route their traffic through multiple countries. When choosing the countries to route through they make sure they aren't friends with eachother. This makes it very difficult and will increase the time for the police to get information. (it's not because because they have access to some special anonymity network)

There are no absolutes when it comes to security. You can not achieve 100% anything. The proficient security practitioner calculates risk and applies resources proportionately. So the question becomes anonymous to who, while doing what, and for what length of time. I can be anonymous to an adversary who relies on tracking my internet footprints by not using the internet for weeks. Of course most people would not consider any abstinence tactics even for a day or two.

So, if you are using the internet how could you prevent someone from finding the IP address that you are using, and for how long?

The first tactic is to change IP addresses, and do it frequently. Depending on the kit you use, most IP capable devices have the ability to set their own IP address. This tactic does come with a penalty, because the frequent changing of IP addresses is highly anomalous. Depending on the internet service you are using at the time it may be quickly or slowly noted.

The second tactic is to spoof and twin an IP address. With the first method you are using IP addresses that are valid for your local node, but are currently unused. For spoof and twin you want to use an IP address that another node is currently using. This method only works when your network adapter can be put into promiscuous mode and read traffic destined for other IP addresses. It requires that your device time transmission so as not to interfere with the target device, and that it continue reading open traffic until the target device receives a reply from whatever server you sent to.

Even if I provide you with the best available anonymity methods, if you are doing something that would attract the attention of a national government, those methods will only delay your eventual deanonimization. Anyone with the capability of enlisting the help of large national or international telecommunication companies will find you in hours.

Nothing in security is ever 100%. Even a 1 time pad (the most secure code ever) is only secure if the key is able to be kept secure and never reused. Even if we think something is secure today, there is no guarantee that it will be tomorrow or that someone hasn't already figured out some issue they haven't released. Onion routing is just about your best hope of getting anonymity. Using Onion routing and an encrypted connection to your trusted end point is even better. Ultimately though, there is still a chance of it failing for any number of technical or even non-technical reasons.

The whole point of a one time pad is that the key is never reused. If someone is reusing a key, then it's NOT a "one time" pad by definition.
–
KenzoJan 19 '13 at 2:02

@Kenzo - that is true, but that still doesn't prevent it from being an early question for many people since the threat of analyzing the differences in the two streams isn't necessarily immediately obvious to the casual observer.
–
AJ HendersonJan 21 '13 at 13:58

A burner laptop, someone else's wireless connection (when you have an alibi to not be within 1,000 kilometers of that connection), Aircrack-ng, and gloves. Works every time, but you must be sure that you will torch that laptop after the mission is over.

If you send some request to any server (and that's what the Internet is all about) this server must be able to send you a response. So the server must be able to send his answer somewhere and this is traceable.

Even with TOR the answer reaches you in some way and this is traceable. It could be very difficult to trace it but it is possible.

If you are using a mobile network, the location of your SIM can be detected to within a few hundred feet. This means that if you live in a block of flats, you are just one in several hundred people. BUT if you then use that same SIM at work or in a hotel, LEA just need to compare a list of workers or guests with a list of residents in a block of flats. Then they can pinpoint you.

In other words, for a SIM to be anonymous, use it ONLY at home and if there are lots of people there.

Having said that, LEA can still only identify Internet usage with a SIM, not with a person. So deny everything and encrypt everything.

Using a non-local IP address is easy enough as others have mentioned, but what you do and when you do it can still lead investigators to your door given results of search traffic, forum posts and other data. Searching for "how to wash my new turtle", "replacement pontiac headlamps in Kansas", "best cure of baldness", "WOW cheats" would help narrow down your gender, location and age, and give a suggestion for possible "door to door" enquiries. Given a wider corpus of information, identity could be narrowed further. Research on de-anonymising anonymous Internet data has been successful in the past and is something to be aware of. Changing IP often should help, and performing Internet activity that was designed to introduce misleading search traffic into databases ought to assist. As another example, a Romanian hacker that I was interested in a while back posted a video on YouTube reviewing a phone. In the review there were a few seconds of footage where they hit a screen with a map that from the street names revealed their likely location at the time.

I may gravely err due to misunderstanding, but, if the essential purpose is to enable a pair (and even a group) of communication partners (who know each other) to communicate entirely anonymously, then IMHO a email system of the following kind presumably should work well:

Assumptions:

(A) Someone (hereafter designated provider) in a democratic country with comparatively liberal policy with respect to IT surveillance has the resources and the right to run a server.

(B) Ordinary mails by post from the users to the provider are not intercepted.

Mode of operation:

(a) Anyone can via an anonymous ordinary mail inform the provider a pseudonym and a corresponding password.

(b) The provider publishes on his webpage a list of the pseudonyms and the alloted serial numbers of the accounts.

(c) The user can have at any time a limited number (say 10) of posts of limited length (say 25 lines of 80 bytes) sent to him by his partner (who knows his password and who uses a neutral computer, e.g. one in an Internet-cafe) via an input window in the webpage of the provider and stored in his account in a FIFO manner.

(d) Anyone is free to view the content of any account via the account serial number or the pseudonym of the sender.

Some comments of my own:

(1) Concerning (B): A user from a highly non-democratic country may be able to let a friend living somewhere else to register for him.

(2) If the posts are well encrypted and with authentication (containing date and message serial number), even the provider couldn't do anything evil. For the worst case would be bogus posts, from which the communication partners would very soon learn of the defect. It
is of course assumed that the password system is ok such that no outsider can post into a foreign account.

(3) Possible financial problems for the provider could be solved via free donations from sponsors or users (including banknotes sent via ordinary mail) or allowing some commercial stuffs in the webpage of the provider.

(4) An attack through large amounts of bogus registrations is unlikely, for that is not done electronically but via ordinary mails, which costs something. I am not sure that server capacity exhaustion absolutely couldn't occur eventually but surmise that's in any case sufficiently satisfactorily solvable, e.g. through an expiration data of the accounts, raising a small amount of registration fees or yearly fees (with banknotes sent via ordinary mail), etc.

(5) Of course a provider with goodwill is assumed. Hopefully there would also be more than one such providers for any user to choose from.

(6) Mirror sites at different geographical locations may be considered in order to somewhat enhance the availability of the service in unexpected adverse situations. Surely the system would fail to function under the attack of an opponent who is mighty enough to break even certain fundamental security components of the Internet communication, in particular the digital signatures. (Nevertheless no secret will be lost, as long as the encryption done by the user is strong enough.)

(7) In the "degenerate" case, the provider may serve only a single group of anonymous communication partners and he himself may be a member of it.

(8) It is intuitively clear that the scheme described satisfactorily provides anonymity, unobservability, pseudonymity and unlinkability.

There are three key aspects: 1) your Internet connection; 2) who you communicate with; and 3) what you say and do. Regarding the first aspect, you can thoroughly obscure your ISP-assigned IP address, or anonymously use another IP address, such as an open WiFi access point.

However, it's very hard to "remain 100% anonymous" once you start communicating and acting. Once you're communicating with others, your anonymity and theirs become linked. It's especially problematic when you communicate with people who know your true name. Clichés such as "Loose lips sink ships." and "[N] can keep a secret, if [N-1] of them are dead." come to mind ;) And if one of them gets busted, all bets are off.

Once you start acting, you establish patterns. Consider how well Google, for example, can find what you're looking for. TLAs apply similar methods to datasets that are far more comprehensive. Browsing patterns alone can say a lot about you.

user TAILS in an internet cafe without cameras, and never log in to anything related to you, use different spelling when you type (don't make the same spelling errors) never use javascript, java, flash, etc.